1# Rules from what was "rules/70_testing.cf", a temporary new home
2#
3# <@LICENSE>
4# Licensed to the Apache Software Foundation (ASF) under one or more
5# contributor license agreements.  See the NOTICE file distributed with
6# this work for additional information regarding copyright ownership.
7# The ASF licenses this file to you under the Apache License, Version 2.0
8# (the "License"); you may not use this file except in compliance with
9# the License.  You may obtain a copy of the License at:
10#
11#     http://www.apache.org/licenses/LICENSE-2.0
12#
13# Unless required by applicable law or agreed to in writing, software
14# distributed under the License is distributed on an "AS IS" BASIS,
15# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16# See the License for the specific language governing permissions and
17# limitations under the License.
18# </@LICENSE>
19#
20########################################################################
21
22# 0.142   0.1814   0.0085    0.955   0.63    0.01  T_PH_SEC
23# 0.159   0.2061   0.0000    1.000   0.66    0.01  T_PH_REC
24body TVD_PH_SEC		/\byour .{0,40}account .{0,40}security/i
25body TVD_PH_REC		/\byour .{0,40}account .{0,40}record/i
26describe TVD_PH_SEC	Message includes a phrase commonly used in phishing mails
27describe TVD_PH_REC	Message includes a phrase commonly used in phishing mails
28
29# 0.234   0.2997   0.0123    0.961   0.68    0.01  T_PH_TVD_7
30# 0.112   0.1390   0.0012    0.992   0.61    0.01  T_PH_TVD_1
31body TVD_PH_7	/\baccount .{0,20}suspen/i
32body TVD_PH_1	/Dear valued .{1,40}(?:member|customer)/i
33
34# 0.153   0.1964   0.0057    0.972   0.64    0.01  T_PH_TVD_FR5
35header __PH_TVD_FROM2	From:addr =~ /\@.*ebay/i
36meta TVD_PH_FR5 !__ENV_AND_HDR_FROM_MATCH && __PH_TVD_FROM2
37
38# 0.134   0.1736   0.0000    1.000   0.64    0.01  T_PP_PHISH
39# 0.124   0.1608   0.0000    1.000   0.64    0.01  T_EB_PHISH
40header __FROM_PAYPAL	From:addr =~ /\@paypal\.com$/i
41header __FROM_EBAY	From:addr =~ /\@ebay\.com$/i
42meta TVD_PP_PHISH	__FROM_PAYPAL && NORMAL_HTTP_TO_IP
43meta TVD_EB_PHISH	__FROM_EBAY && NORMAL_HTTP_TO_IP
44
45# 0.209   0.2612   0.0033    0.987   0.69    1.00  TVD_SUBJ_ACC_NUM
46header	TVD_SUBJ_ACC_NUM	Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/
47describe TVD_SUBJ_ACC_NUM	Subject has spammy looking monetary reference
48
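# bug 4457: "PayPal account update" wording (or a quoted PayPal CGI URL),
# but the message also carries a URL whose host is not paypal.com.
# This may be dealt with by other, less complex rules.
#
# Subject / body wording typical of account-update phishes.
header __LOCAL_PP_S_UPD		Subject =~ m'(?:confirm|update) (?:your|the) (?:billing )?(?:records?|information|account)'i
body __LOCAL_PP_B_UPD		m'(?:confirm|update|verify) (?:your|the) (?:(?:current|billing) )?(?:records?|information|account|identity)'i
# Genuine-looking PayPal CGI URL quoted in the rendered body text.  The dots
# are escaped so that "www.paypal.com" is matched literally rather than as
# "any character".
body __LOCAL_PP_PPCGIURL	m'https?://www\.paypal\.com/cgi-bin/webscr\?'i
# Any http(s) URI whose host is neither paypal.com nor a subdomain of it.
# The negative lookahead reads the whole host (dot-separated labels) and
# requires the "paypal.com" it finds to be followed by something that cannot
# continue a hostname, so the usual look-alike tricks all count as
# non-PayPal:
#   http://www.paypal.com.evil.example/   (paypal.com as a subdomain)
#   http://www.paypal.com-login.example/  (paypal.com as a prefix)
#   http://www.paypal.com@evil.example/   (paypal.com as userinfo)
# while http://paypal.com/, http://www.paypal.com/ and
# https://www.paypal.com:443/ are left alone.  Only paypal.com itself is
# exempt; any other PayPal-branded domain is still treated as non-PayPal, as
# before.  Each repetition of the label group consumes a literal dot, so
# backtracking stays bounded on long URIs.
uri __LOCAL_PP_NONPPURL		m'https?://(?!(?:[A-Za-z0-9_-]+\.)*paypal\.com(?![A-Za-z0-9_\.\@-]))[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)+'i
# __FROM_PAYPAL is defined above in this file.
meta T_LOCAL_PP_UPD_BADURL (__FROM_PAYPAL && ((__LOCAL_PP_B_UPD || __LOCAL_PP_S_UPD) || __LOCAL_PP_PPCGIURL) && __LOCAL_PP_NONPPURL)
describe T_LOCAL_PP_UPD_BADURL paypal account update, but has bad URL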
57
58
59ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
60
61# bug 4255: with some ideas from Fred Tarasevicius I came up with a rule that
62# performs pretty decently, worthy of a general mass-check:
63# 0.186   0.2273   0.0030    0.987   0.66    0.01  T_HTTPS_HTTP_MISMATCH_1_12
64# 0.186   0.2273   0.0030    0.987   0.66    0.01  T_HTTPS_HTTP_MISMATCH_1_13
65# 0.185   0.2253   0.0015    0.993   0.66    0.01  T_HTTPS_HTTP_MISMATCH_1_10
66# 0.187   0.2280   0.0045    0.981   0.66    0.01  T_HTTPS_HTTP_MISMATCH_1_14
67# 0.186   0.2266   0.0030    0.987   0.66    0.01  T_HTTPS_HTTP_MISMATCH_1_11
68# 0.189   0.2280   0.0119    0.951   0.65    0.01  T_HTTPS_HTTP_MISMATCH_1_15
69# 0.003   0.0013   0.0089    0.129   0.43    0.01  T_HTTPS_HTTP_MISMATCH_11_15
70# 0.019   0.0013   0.0965    0.014   0.33    0.01  T_HTTPS_HTTP_MISMATCH_11_20
71# generally, hams seem to have a lot of links, whereas phishing mails don't.
72# so compare the domains between https? href and https anchor text, and flag
73# if the number of anchors is inside the given range and the domains don't
74# match.
# FYI: these rules do not overlap HTTPS_IP_MISMATCH, because IP-address hrefs
# are ignored here -- IPs tend not to be used in ham, so it is not worth the
# overhead of checking them in this rule.  The two rules are nonetheless very
# similar and could definitely share code; if these are promoted, the two
# should be merged so that each backs up the other.
79
# Used to be T_HTTPS_HTTP_MISMATCH_1_10, the best-performing variant in the
# mass-check above.  Per the description above, the arguments are the anchor
# count range: flag when the message has between 1 and 10 anchors and the
# domain of an http(s) href differs from the https domain shown in the anchor
# text.  Only active when the HTTPSMismatch plugin is loaded (see the
# enclosing ifplugin).
body  HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
82
83endif
84
85########################################################################
86
# Phishing mails usually claim to come from official-sounding addresses
# (accounts@, support@, billing@, ...).  The disabled subrules below could be
# combined with the subject rules to lower false positives if that becomes
# necessary.
89
90#header __TVD_PH_FROM_ACCO From:addr =~ /accounts?\@/i
91#header __TVD_PH_FROM_CUST From:addr =~ /customer[^@]*\@/i
92#header __TVD_PH_FROM_SUPP From:addr =~ /support\@/i
93#header __TVD_PH_FROM_SERV From:addr =~ /service\@/i
94#header __TVD_PH_FROM_BILL From:addr =~ /billing\@/i
95#header __TVD_PH_FROM_NOTI From:addr =~ /notice\@/i
96#header __TVD_PH_FROM_ADMI From:addr =~ /admin\@/i
97#header __TVD_PH_FROM_SECU From:addr =~ /secure\@/i
98#
99#meta __TVD_PH_FROM_ANY __TVD_PH_FROM_ACCO || __TVD_PH_FROM_CUST || __TVD_PH_FROM_SUPP || __TVD_PH_FROM_SERV || __TVD_PH_FROM_BILL || __TVD_PH_FROM_NOTI || __TVD_PH_FROM_ADMI || __TVD_PH_FROM_SECU
100#meta T_TVD_PH_FROM_SUBJ_GOOD __TVD_PH_FROM_ANY && T_TVD_PH_SUBJ_GOOD
101#meta T_TVD_PH_FROM_SUBJ_GOOD2 __TVD_PH_FROM_ANY && T_TVD_PH_SUBJ_GOOD2
102
103########################################################################
104
105# Look at subjects for phishing
106
107# 2011-07-01 Changed by KAM - https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6579
108
109#Changed to Sub Rules
# Subject-line subrules.  The "(?:[a-z_,-]+ )*?" groups allow a few filler
# words between the key words.  The Subject header is attacker-controlled
# text, so these are heuristics that feed the scored meta below.
#
# "account(s) ... record/suspend/notify/security/update/verification/confirm",
# e.g. "account has been suspended".
header __TVD_PH_SUBJ_ACCOUNTS_PRE	Subject =~ /\baccounts? (?:[a-z_,-]+ )*?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|security|updated?|verifications?|confirm[a-z]+)\b/i
# "security ... measure(s)"
header __TVD_PH_SUBJ_SEC_MEASURES	Subject =~ /\bsecurity (?:[a-z_,-]+ )*?measures?\b/i
# "update ... access/credit/record(s)/info(rmation)"
header __TVD_PH_SUBJ_UPDATE		Subject =~ /\bupdate (?:[a-z_,-]+ )*?(?:access|credit|records?|info(?:rmation)?)\b/i
# Subject starts with "urgent" and is either followed only by whitespace /
# punctuation to the end, or within 1-40 characters by alert/response/
# assistance/proposal/reply/warning/notice/notification/greeting/matter.
header __TVD_PH_SUBJ_URGENT		Subject =~ /^urgent(?:[\s\W]*$|.{1,40}(?:alert|response|assistance|proposal|reply|warning|noti(?:ce|fication)|greeting|matter))/i
# verb ... account(s), e.g. "verify your account", "unusual activity on account"
header __TVD_PH_SUBJ_ACCOUNTS_POST	Subject =~ /\b(?:(?:re-?)?(?:activat[a-z]*|verify|validate)|secure|restore|flagged|limited|unusual|update|report|notif(?:y|ication)|suspen(?:d|ded|sion)|co(?:n|m)firm[a-z]*) (?:[-a-z_,]+ )*?accounts?\b/i

# TVD_PH_SUBJ_META_ALL was removed (bug 6579).

# Scored meta: fires when any of the five subrules above hits.  Each subrule
# contributes 1 when it matches, so "(a + b + ... > 0)" is the same as OR'ing
# them; a single meta lets all the subject rules share one score set.
meta 		TVD_PH_SUBJ_META1	(__TVD_PH_SUBJ_ACCOUNTS_PRE + __TVD_PH_SUBJ_SEC_MEASURES + __TVD_PH_SUBJ_UPDATE + __TVD_PH_SUBJ_URGENT + __TVD_PH_SUBJ_ACCOUNTS_POST > 0)
score 		TVD_PH_SUBJ_META1	1.25
describe 	TVD_PH_SUBJ_META1	Email has a Phishy looking subject line
122
123########################################################################
124
# Subject REs that hit less often on their own are OR'ed together into one
# meta so they can be scored as a unit.
126
127# 0.251   0.3023   0.0000    1.000   1.00    0.01  T_TVD_PH_SUBJ_META
128meta __TVD_PH_SUBJ_META		__TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST
129meta TVD_PH_SUBJ_META		__TVD_PH_SUBJ_META
130
131header __TVD_PH_SUBJ_00		Subject =~ /\brewards? survey\b/i
132
133header __TVD_PH_SUBJ_02		Subject =~ /\byour payment has been sent\b/i
134header __TVD_PH_SUBJ_04		Subject =~ /\baccounts? profile\b/i
135header __TVD_PH_SUBJ_15		Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i
136header __TVD_PH_SUBJ_17		Subject =~ /\bremove limitations?\b/i
137header __TVD_PH_SUBJ_18		Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i
138header __TVD_PH_SUBJ_19		Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i
139header __TVD_PH_SUBJ_29		Subject =~ /^notice(?::|[\s\W]*$)/i
140header __TVD_PH_SUBJ_31		Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i
141header __TVD_PH_SUBJ_36		Subject =~ /\bconsumer notice\b/i
142header __TVD_PH_SUBJ_37		Subject =~ /\bvalued member[a-z]*\b/i
143header __TVD_PH_SUBJ_38		Subject =~ /\bonline bank[a-z]*\b/i
144header __TVD_PH_SUBJ_39		Subject =~ /\bonline department\b/i
145header __TVD_PH_SUBJ_41		Subject =~ /\bunusual activity\b/i
146header __TVD_PH_SUBJ_52		Subject =~ /\b(?:account|online) profile\b/i
147header __TVD_PH_SUBJ_54		Subject =~ /\bun-?authorized access(?:es)?\b/i
148header __TVD_PH_SUBJ_56		Subject =~ /\brespond now\b/i
149header __TVD_PH_SUBJ_58		Subject =~ /\bbilling service\b/i
150header __TVD_PH_SUBJ_59		Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i
151header __TVD_PH_SUBJ_ACCESS_POST	Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i
152
153########################################################################
154
# Body phrase subrules OR'ed into TVD_PH_BODY_META.  TVD_PH_BODY_META_ALL
# additionally ORs in the two "accounts" subrules defined at the end of this
# section.  Note that TVD_PH_BODY_META, TVD_PH_BODY_META_ALL,
# TVD_PH_BODY_ACCOUNTS_PRE and TVD_PH_BODY_ACCOUNTS_POST can all hit on the
# same message, so whatever scores they carry stack.
meta __TVD_PH_BODY_META		__TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08
meta TVD_PH_BODY_META		__TVD_PH_BODY_META
meta TVD_PH_BODY_META_ALL	__TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST
# "account ... placed in/on restricted status" (up to 20 chars of filler)
body __TVD_PH_BODY_01		/\baccount .{0,20}placed? [io]n restricted status/i
# "records <words> feature/award/reward"; "+?" requires at least one filler word
body __TVD_PH_BODY_02		/\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i
# "you have been <words> payment"
body __TVD_PH_BODY_03		/\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i
# "funds <words> to your <words> account", excluding "funds transfer from",
# "funds from", "funds via".  Note that "(?!in)" rejects any continuation
# beginning with "in", e.g. "funds into ..." and "funds invested ...".
body __TVD_PH_BODY_04		/\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i
# "this is <words> protect <words> your"
body __TVD_PH_BODY_05		/\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i
# "Dear <single-word bank name> bank member/customer"; multi-word bank names
# are not matched.
body __TVD_PH_BODY_06		/Dear [a-z]+ bank (?:member|customer)/i
body __TVD_PH_BODY_07		/\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i
body __TVD_PH_BODY_08		/\bmultiple password failures/i

# "account(s) <words> record/suspend/notify/updated/verification/credited".
# The filler group is "+?" here (unlike the Subject variant above), so at
# least one word must sit between "account(s)" and the keyword: "account was
# suspended" matches, while the bare phrases quoted in the describe line
# ("accounts suspended", "account credited") do not match on their own.
body __TVD_PH_BODY_ACCOUNTS_PRE		/\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i
meta TVD_PH_BODY_ACCOUNTS_PRE		__TVD_PH_BODY_ACCOUNTS_PRE
describe TVD_PH_BODY_ACCOUNTS_PRE	The body matches phrases such as "accounts suspended", "account credited", "account verification"

# verb <words> account(s), e.g. "update the account", "reactivate my account".
# "(?!your)" excludes "<verb> your ... account" (and any filler word starting
# with "your"), presumably because that form is covered by other rules.
# At least one filler word is required.
body __TVD_PH_BODY_ACCOUNTS_POST	/\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i
meta TVD_PH_BODY_ACCOUNTS_POST		__TVD_PH_BODY_ACCOUNTS_POST
173
174
175
176